# Happy 16shop hunting
## What is 16shop?
16shop is an infamous phishing kit that targets Apple users.
- ref.
  - [Analysis of Phishing mail. Drone bought from Apple.](http://netsecops.info/bought-a-drone-from-apple-really/)
  - [Indonesian Spam Communities](http://www.deependresearch.org/2018/09/indonesian-spam-communities.html)

It's a known fact that you can look up information about the owner who runs a 16shop phishing website by sending an HTTP request to `16shop[.]online`.
```shell=
$ http -f POST http://16shop.online/api/setting/get_setting.php domain=DOMAIN
```
Can I automate 16shop hunting tasks? (gathering 16shop domains, fetching owner's information, etc.)
Let's try it!
## Gathering phishy domains
Let's grab phishy domains which contain `apple`.
```shell=
$ curl -s "https://urlscan.io/api/v1/search/?q=PhishTank%20OR%20OpenPhish%20OR%20CertStream-Suspicious" | jq -r '.results[] | select(.page.domain | match("apple")) | .page.domain'
idapple-maps[.]com
www.idapple-maps[.]com
appleid.apple.payment-account218[.]com
www.appleid.apple.com.app-stores[.]me
appleid.apple.com.app-stores[.]me
manage-account-locked-services.apple-accountconfirmation[.]com
apple-accountconfirmation[.]com
appleid.apple.servicemyaccount-resulotioncentrebilling[.]com
```
OK, let's save the domains to `domains.txt`. Some of them might be 16shop domains.
```shell=
$ curl -s "https://urlscan.io/api/v1/search/?q=PhishTank%20OR%20OpenPhish%20OR%20CertStream-Suspicious" | jq -r '.results[] | select(.page.domain | match("apple")) | .page.domain' > domains.txt
```
## Fetching owner's information
Let's write a Ruby script for checking & fetching 16shop information.
```ruby
require "json"
require "httpx"

# 16shop settings API endpoint
url = "http://16shop.online/api/setting/get_setting.php"
# One candidate domain per line
domains = File.readlines("domains.txt").map(&:chomp)

domains.each do |domain|
  # Send the domain as form data, like the HTTPie request above
  res = HTTPX.post(url, form: { domain: domain })
  json = JSON.parse(res.body.to_s)
  p json
end
```
```shell
$ ruby test.rb
{"email_result"=>nil, "lock_platform"=>nil, "sender_mail"=>nil, "site_parameter"=>nil, "site_password"=>nil, "site_param_on"=>nil, "site_pass_on"=>nil, "send_login"=>nil, "mix_result"=>nil, "get_photo"=>nil, "get_vbv"=>nil,"get_email"=>nil, "get_bank"=>nil, "double_cc"=>nil, "onetime"=>nil, "encrypt_html"=>nil, "block_host"=>nil, "block_ua"=>nil, "block_iprange"=>nil, "block_isp"=>nil, "block_vpn"=>nil, "theme"=>nil, "letter"=>nil}
{"email_result"=>nil, "lock_platform"=>nil, "sender_mail"=>nil, "site_parameter"=>nil, "site_password"=>nil, "site_param_on"=>nil, "site_pass_on"=>nil, "send_login"=>nil, "mix_result"=>nil, "get_photo"=>nil, "get_vbv"=>nil,"get_email"=>nil, "get_bank"=>nil, "double_cc"=>nil, "onetime"=>nil, "encrypt_html"=>nil, "block_host"=>nil, "block_ua"=>nil, "block_iprange"=>nil, "block_isp"=>nil, "block_vpn"=>nil, "theme"=>nil, "letter"=>nil}
{"email_result"=>nil, "lock_platform"=>nil, "sender_mail"=>nil, "site_parameter"=>nil, "site_password"=>nil, "site_param_on"=>nil, "site_pass_on"=>nil, "send_login"=>nil, "mix_result"=>nil, "get_photo"=>nil, "get_vbv"=>nil,"get_email"=>nil, "get_bank"=>nil, "double_cc"=>nil, "onetime"=>nil, "encrypt_html"=>nil, "block_host"=>nil, "block_ua"=>nil, "block_iprange"=>nil, "block_isp"=>nil, "block_vpn"=>nil, "theme"=>nil, "letter"=>nil}
{"email_result"=>"juriah170777@gmail.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"19plus", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"", "mix_result"=>"on", "get_photo"=>"on", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"", "double_cc"=>"", "onetime"=>"", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"invoice"}
...
```
It works, but the all-`nil` responses are noise, so let's filter them out.
```ruby
require "json"
require "httpx"

# 16shop settings API endpoint
url = "http://16shop.online/api/setting/get_setting.php"
# One candidate domain per line
domains = File.readlines("domains.txt").map(&:chomp)

domains.map do |domain|
  res = HTTPX.post(url, form: { domain: domain })
  JSON.parse(res.body.to_s)
end.reject do |json|
  # A nil email_result means the response carries no settings for that domain
  json["email_result"].nil?
end.each do |json|
  p json
end
```
```shell
$ ruby test.rb
{"email_result"=>"juriah170777@gmail.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"19plus", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"", "mix_result"=>"on", "get_photo"=>"on", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"", "double_cc"=>"", "onetime"=>"", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"invoice"}
{"email_result"=>"result.seleketeb@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"redirection_page", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"on", "mix_result"=>"", "get_photo"=>"", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"on", "double_cc"=>"", "onetime"=>"", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"invoice"}
{"email_result"=>"santana.sigh@yandex.com", "lock_platform"=>"", "sender_mail"=>"skychordvip@vipsky.com", "site_parameter"=>"16shop", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"on","mix_result"=>"", "get_photo"=>"", "get_vbv"=>"on", "get_email"=>"on", "get_bank"=>"", "double_cc"=>"", "onetime"=>"", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"locked"}
{"email_result"=>"ayahsate@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"reset", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"", "mix_result"=>"on", "get_photo"=>"", "get_vbv"=>"", "get_email"=>"on", "get_bank"=>"on", "double_cc"=>"", "onetime"=>"on", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"classic", "letter"=>"invoice"}
{"email_result"=>"kardusbekas02@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"verify", "site_password"=>"update", "site_param_on"=>"on", "site_pass_on"=>"on", "send_login"=>"on", "mix_result"=>"", "get_photo"=>"on", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"", "double_cc"=>"", "onetime"=>"on", "encrypt_html"=>"on", "block_host"=>"on", "block_ua"=>"", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"", "theme"=>"classic", "letter"=>"locked"}
{"email_result"=>"rogresult@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"t4ng4us", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"on", "mix_result"=>"on", "get_photo"=>"on", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"on", "double_cc"=>"", "onetime"=>"on", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"", "theme"=>"apple", "letter"=>"locked"}
{"email_result"=>"rezultaustralia@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"Verify", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"on", "mix_result"=>"on", "get_photo"=>"", "get_vbv"=>"", "get_email"=>"on", "get_bank"=>"on", "double_cc"=>"", "onetime"=>"on", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"invoice"}
...
```
Got it! Let's enjoy happy hunting. :D
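
An added example (not part of the original post) of a triage step for the output above: it keeps each domain paired with its response, skips non-JSON bodies and all-`nil` responses, and groups hits by the `email_result` mailbox so that sites reporting to the same mailbox land together. The domains, mailboxes and the helper names `parse_setting` and `cluster_by_operator` are constructed for illustration; the field names are the ones shown in the responses above.

```ruby
require "json"

# Constructed sample: domain => raw response body, shaped like the output above.
SAMPLE = {
  "appleid.login-check.example" =>
    '{"email_result":"operator-a@mail.example","block_ua":"on","block_vpn":"on","get_vbv":"on","theme":"apple"}',
  "apple-support.verify.example" =>
    '{"email_result":"operator-a@mail.example","block_ua":"on","block_vpn":"","get_vbv":"on","theme":"classic"}',
  "apple-id.billing.example" =>
    '{"email_result":"operator-b@mail.example","block_ua":"","block_vpn":"on","get_bank":"on","theme":"apple"}',
  "apple-fans.example" => '{"email_result":null,"block_ua":null,"theme":null}',
  "apple-parked.example" => "<html>502 Bad Gateway</html>"
}.freeze

# Parse one body; return nil for non-JSON bodies and for responses
# without an email_result (the all-nil case filtered out above).
def parse_setting(body)
  json = JSON.parse(body)
  return nil unless json.is_a?(Hash)
  return nil if json["email_result"].to_s.empty?
  json
rescue JSON::ParserError
  nil
end

# Group hits by result mailbox, keeping the domains and every option
# that is set to "on" on at least one of them.
def cluster_by_operator(bodies)
  clusters = Hash.new { |h, k| h[k] = { domains: [], enabled: [] } }
  bodies.each do |domain, body|
    setting = parse_setting(body)
    next if setting.nil?
    cluster = clusters[setting["email_result"]]
    cluster[:domains] << domain
    cluster[:enabled] |= setting.select { |_, v| v == "on" }.keys
  end
  clusters
end

if __FILE__ == $PROGRAM_NAME
  cluster_by_operator(SAMPLE).each do |email, c|
    puts "#{email}: #{c[:domains].join(', ')} (on: #{c[:enabled].sort.join(', ')})"
  end
end
```

The `block_*` options that show up as enabled are worth recording next to each cluster, since they indicate which sites are configured to filter visitors.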
---
written by [@ninoseki](https://twitter.com/ninoseki)